Regardless of cybersecurity budgets, we can always optimize what we currently have, to better secure our organizations. The “basics” apply to every organization, of any size – if you don’t have all the boxes for compliance checked, you don’t have the cybersecurity basics covered.

We’re into the new year and it’s such an exciting time. Whether 2017 was a good year or a bad year, it’s in the books and over. And 2018 brings so much potential!

Now, as we’re closing out January, it’s time for us to hold onto the resolutions we’ve made. Gyms were busy this month. Health food stores became very popular this month. Once February arrives, many resolutions are broken. Things are mostly back to normal. January is a time for personal resolutions, some lasting and some not so lasting.

My recommendation: make February a month to run a check-up on your cyber strength and the health of your cyber compliance. There are a few ways you can do this.

James Capelen, Lead Security Infrastructure Architect at the Isle of Man Cabinet Office, shared his cyber resolution: “Maximize the use of the security products we have in place already and ensure we have all the basics covered effectively.” I think Capelen is onto something. Regardless of budgets, we can always optimize what we currently have, to better secure our organizations. The “basics” apply to every organization, of any size – if you don’t have all the boxes for compliance checked, you don’t have the cybersecurity basics covered.

Why compliance is tricky

Compliance is tricky because it’s typically something that organizations don’t want to deal with unless they are schooled in the importance of cyber, or one of their peers is breached and they see the repercussions. It’s hard to translate the importance of cybersecurity investment to non-security business stakeholders, and in general, requirements do not excite people.
Cybersecurity compliance requires many business functions that are usually not in communication to talk to each other in order to accomplish a common goal. Compliance involves Information Technology architecture and teams, all your employees, and even third parties, because attacks can come from anywhere. As cybersecurity makes its way to the forefront of business conversations, it’s clear that we need to rethink how we approach compliance. Industries are starting to approach compliance from a proactive standpoint, encouraging the use of frameworks, and the government is cracking down on those who deal with critical government data.

The first step: know your frameworks and standards

The NIST Cybersecurity Framework (CSF), created by over 3,000 industry professionals–including some of my company’s own team members–at the National Institute of Standards and Technology, is becoming a true gold standard of security across all industries. Compliance is usually seen as slow-moving, tedious work with laws, regulations and industry-specific standards. However, in recent years the NIST CSF has exceeded expectations for proactive adoption. The CSF is even becoming mandatory in some industries and, according to Gartner, will reach 50% U.S. business adoption by 2020. The BBB states “not only are many companies requiring it (The NIST Cybersecurity Framework) of their vendors for procurement, but many businesses are adopting because it helps them run a better business”.
The Framework is derived from NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, another set of controls “developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA).”

NIST SP 800-171 is a set of 110 controls, making it a good introductory framework, and is required for all companies generating defense-related revenue under the Defense Federal Acquisition Regulation Supplement (DFARS) mandate. The mandate requires a Plan of Action and Mitigations (POAM) and a System Security Plan (SSP), which are useful documents to help guide your organization’s program.

The International Standards Organization (ISO) and the International Electrotechnical Commission (IEC) developed the ISO27000 series, which is growing in popularity. It provides a broad set of security best practices that can be applied to all types of organizations, no matter the size.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements developed by the PCI Security Standard Council, which was formed by MasterCard, American Express, VISA, JCB and Discover. These controls focus on securing your customers’ cardholder information. PCI DSS is mandatory if your organization stores, processes and/or transmits cardholder data.

What to do now

If you’re already measuring yourself against a framework, then you have a great start. Take February to re-assess yourself against that framework. Also, consider adding another, perhaps more comprehensive, framework in case you might be missing something.
There are various free tools that you can use to go through the controls, or you can use a platform like CyberStrong–which ingests all your best practices and operationalizes them in an automated fashion–or work with a third-party consulting firm to make sure you have all of the controls in place, can view your gaps, and can see areas to improve.

January is about gyms and diets, and February is a bit of a 28-day lull before spring. Take advantage of February and make it about your job and your organization. Find your strengths, identify your vulnerabilities and create the plan for 2018 to address those vulnerabilities. Make February your month to do just that.